??

app-i18n/yaskkserv2: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

app-shells/mcfly: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

app-shells/nushell: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

dev-util/rustup: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

dev-util/wachy: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

dev-vcs/mercurial: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

dev-python/adblock: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

dev-db/{mariadb,mysql,percona-server,mysql-connector-c}: ENABLED_LOCAL_INFILE in the client is exploitable by the server

??

dev-util/bingrep: 'cargo audit' reports one or more bundled CRATES as vulnerable

??

[Tracker] Go x/text DoS via crafted Accept-Language header

CVE-2022-32149

linux kernel: multiple vulnerabilities in Xen
sys-apps/portage uses /var/tmp insecurely
[Tracker] UAF in Expat's xmlparse.c:doContent
[Tracker] Vulnerabilty in app-arch/qpress
[Tracker] Prometheus basic authentication bypass via exporter-toolkit
[Tracker] Denial of service in Go's net/http
[Tracker] Denial of service in Go's crypto/ssh
[Tracker] nuget credential leakage
Use-after-free in Zen 2 processors ("zenbleed")
[Tracker] MySQL DoS (Oracle CPU Oct 2023)
RUSTSEC-2023-0075: unsafe-libyaml: Unaligned write of u64 on 32-bit and 16-bit platforms
GHSA-c827-hfw6-qwvm: rustix: memory explosion leading to potential DOS
[Tracker] runc container breakout vulnerability
[Tracker] CUPS vulnerabilities on 2024-09-26
[Tracker] Vulnerability in 7zip's zstandard (zstd) implementation
dev-libs/xmlrpc-c[-libxml2] uses vulnerable bundle of dev-libs/expat from many years ago
media-libs/giflib buffer overflow
media-libs/giflib path traversal vulnerability in gifinto utility
net-print/cups-filters, net-print/libcupsfilters: multiple vulnerabilities

Major

<app-editors/emacs-{26.3-r19,27.2-r17,28.2-r13,29.3-r3} <app-emacs/org-mode-9.7.5: org-mode command execution vulnerability

CVE-2024-39331

Normal

net-misc/wget: Authorisation header disclosure on redirect (CVE-2021-31879)

CVE-2021-31879

Normal

<dev-lang/R-4.0.4: code execution via malicious CRAN package (CVE-2020-27637)

CVE-2020-27637

Normal

<dev-python/idna-3.7: potential DoS via resource consumption via specially crafted inputs to idna.encode()

CVE-2024-3651

Normal

<kde-apps/konsole-24.12.3-r1, <kde-apps/konsole-25.04.2: Incorrect telnet scheme handling

CVE-2025-49091

Normal

sys-apps/man2html: multiple vulnerabilities

CVE-2021-40647 CVE-2021-40648

Minor

dev-libs/libtomcrypt: Out of bounds read (CVE-2019-17362)

CVE-2019-17362

Minor

sci-libs/hdf5: multiple vulnerabilities

CVE-2020-10809 CVE-2020-10810 CVE-2020-10811 CVE-2020-10812 CVE-2021-45829 CVE-2021-45830 CVE-2021-45832 CVE-2021-45833 CVE-2021-46242 CVE-2021-46243 CVE-2021-46244

sci-libs/hdf5: heap buffer overread

Minor

sci-libs/hdf: Multiple vulnerabilities

CVE-2018-14031 CVE-2018-14032 CVE-2018-14033 CVE-2018-14034 CVE-2018-14035

Minor

dev-libs/keystone: multiple vulnerabilities (CVE-2020-{36404,36405})

CVE-2020-36404 CVE-2020-36405

Normal

[Tracker] HTTP/2 Rapid Reset vulnerability

CVE-2023-44487

Tracked bugs: 8 open / 14 total

??

[Tracker] Vulnerability in gstreamer (CVE-2021-3522)

CVE-2021-3522

Tracked bugs: 1 open / 2 total

??

[Tracker] Packages misusing libsoup API for TLS validation

Tracked bugs: 5 open / 5 total

??

[Tracker] NO STARTTLS collection of vulnerabilities

Tracked bugs: 2 open / 18 total

??

[Tracker] ElGamal Plaintext Recovery in dev-libs/botan

CVE-2021-40529

Tracked bugs: 1 open / 2 total

??

[Tracker] "KeyTrap" DNS DoS vulnerability

CVE-2023-50387 CVE-2023-50868

Tracked bugs: 4 open / 5 total

??

[TRACKER] kernel: Meltdown and Spectre - A flaw in modern processors (CVE-2017-{5715,5753,5754})

Tracked bugs: 1 open / 7 total

??

[TRACKER] hw: cpu: speculative execution branch target injection (CVE-2017-5715)

CVE-2017-5715

Tracked bugs: 1 open / 11 total

??

[Tracker] Terrapin Vulnerability

CVE-2023-48795

Tracked bugs: 4 open / 10 total

??

[Tracker] Mozilla Foundation Security Advisory for May 14/15th, 2024

CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777 MSFA2024-21 MSFA2024-22 MSFA2024-23

Tracked bugs: 263 open / 10000 total

Major

media-libs/libmad: Dos (memory corruption) via crafted MP3 files

CVE-2017-11552

Major

dev-python/reportlab: remote code execution

CVE-2023-33733

Major

app-arch/unzip: null pointer dereference

CVE-2021-4217

Major

app-admin/doas: vulnerable to privilege escalation via TIOCSTI/TIOCLINUX command injection

CVE-2023-28339

Normal

dev-python/pip: Possible code execution via untrusted packages from external indexes (CVE-2018-20225)

CVE-2018-20225

Normal

x11-libs/cairo: NULL pointer dereference with a crafted font file (CVE-2017-7475)

CVE-2017-7475

Normal

media-libs/plib: integer overflow leading to code execution (CVE-2021-38714)

CVE-2021-38714

Normal

sys-devel/flex: Stack exhaustion in mark_beginning_as_normal causing denial of service (CVE-2019-6293)

Normal

dev-embedded/u-boot-tools: unbounded memcpy in nfs

CVE-2022-30767

Normal

sys-devel/patch: invalid free vulnerability

CVE-2021-45261

sys-devel/patch: Double free allowing DoS in another_hunk (CVE-2019-20633)

Normal

app-text/djvu: multiple vulnerabilities (CVE-2021-{3500,32490,32491,32492,32493})

CVE-2021-32490 CVE-2021-32491 CVE-2021-32492 CVE-2021-32493 CVE-2021-3500

Normal

www-misc/awstats: Arbitrary code execution (CVE-2020-35176)

CVE-2020-35176

Normal

dev-db/redis: integer overflow via bundled hiredis

Normal

sys-apps/busybox: multiple vulnerabilities

CVE-2022-28391 CVE-2022-30065

Normal

net-dns/avahi: multiple DoS vulnerabilities

CVE-2021-3468 CVE-2021-3502 CVE-2021-36217 CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473

Normal

media-libs/tiff: crafted input results in out-of-memory

CVE-2023-6277

Normal

app-text/htmltidy: arbitrary code execution

CVE-2021-33391

Normal

media-sound/sox: multiple vulnerabilities

CVE-2021-23159 CVE-2021-23172 CVE-2021-23210 CVE-2021-33844 CVE-2021-3643 CVE-2021-40426 CVE-2022-31650 CVE-2022-31651 CVE-2023-26590 CVE-2023-32627 CVE-2023-34318 CVE-2023-34432

Normal

sys-boot/grub: multiple vulnerabilities

CVE-2025-54770 CVE-2025-54771 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664

sys-boot/grub: Multiple vulnerabilities

Minor

sys-libs/db: Berkeley DB reads DB_CONFIG from the current working directory

CVE-2017-10140

Critical

dev-libs/stb: multiple vulnerabilities

CVE-2023-43281 CVE-2023-43898 CVE-2023-45661 CVE-2023-45662 CVE-2023-45663 CVE-2023-45664 CVE-2023-45666 CVE-2023-45667 CVE-2023-45675 CVE-2023-45676 CVE-2023-45677 CVE-2023-45678 CVE-2023-45679 CVE-2023-45680 CVE-2023-45681 CVE-2023-45682

Critical

net-wireless/wpa_supplicant: possible privilege escalation

CVE-2024-5290

Major

sys-cluster/slurm: Incorrect Authorization

CVE-2024-48936

Major

www-client/firefox{-bin,}: multiple vulnerabilities

CVE-2025-3608

Major

mail-client/thunderbird{-bin,}: multiple vulnerabilities

CVE-2025-2830 CVE-2025-3523

Major

net-libs/webkit-gtk: multiple vulnerabilities

CVE-2025-43392 CVE-2025-43425 CVE-2025-43427 CVE-2025-43429 CVE-2025-43430 CVE-2025-43431 CVE-2025-43432 CVE-2025-43434 CVE-2025-43440

Major

app-containers/containerd: multiple vulnerabilities

CVE-2024-25621 CVE-2025-64329 GHSA-m6hq-p25p-ffr2 GHSA-pwhc-rpq9-4c8w

Normal

net-analyzer/fail2ban: code exection via malicious whois responses (CVE-2021-32749)

CVE-2021-32749

Normal

<sys-devel/gcc-12.1.0: Unicode "bidirectional override" (CVE-2021-42574)

Normal

<dev-lang/python-{3.8.13_p8, 3.9.13_p6, 3.10.6_p4, 3.11.0_rc1_p2}, dev-python/pypy{,3}: Denial of service via abuse of bignum int type

CVE-2020-10735

Major

app-emulation/open-vm-tools: local privilege escalation on guest VM

CVE-2025-41244

Major

<www-servers/tomcat-{9.0.111,10.1.48,11.0.13}: multiple vulnerabilities

CVE-2025-55752 CVE-2025-61795

Major

<net-fs/samba-{4.21.9,4.22.5,4.23.2}: multiple vulnerabilities

CVE-2025-10230 CVE-2025-9640

Normal

<net-misc/openssh-10.1_p1: Control characters allowed on command line / via configuration

CVE-2025-61984

Normal

<dev-db/redis-8.2.3:0/8.2: Bug in XACKDEL may lead to stack overflow and potential RCE

CVE-2025-62507

Minor

<dev-ruby/rails-{7.1.5.2:7.1,7.2.2.2:7.2,8.0.2.1:8.0}: Multiple Vulnerabilities

CVE-2025-24293 CVE-2025-55193

Minor

(CVE-2025-11230) <net-misc/haproxy-{2.8.16,3.0.12,3.1.9,3.2.6} / mjson DoS

CVE-2025-11230

Minor

<dev-ruby/rack-{2.2.19:2.2,3.1.17:3.1,3.2.2:3.2}: multiple vulnerabilities

CVE-2025-61770 CVE-2025-61771 CVE-2025-61772

<dev-ruby/rack-{2.2.20:2.2,3.1.18:3.2,3.2.3:3.2}: multiple vulnerabilities

Minor

<dev-ruby/rack-{2.2.20:2.2,3.1.18:3.2,3.2.3:3.2}: multiple vulnerabilities

CVE-2025-61780 CVE-2025-61919

<dev-ruby/rack-{2.2.19:2.2,3.1.17:3.1,3.2.2:3.2}: multiple vulnerabilities

Minor

<net-libs/webkit-gtk-2.50.1: multiple vulnerabilities

CVE-2025-43272 CVE-2025-43342 CVE-2025-43343 CVE-2025-43356 CVE-2025-43368

Major

<app-containers/runc-{1.2.8,1.3.3}: Multiple vulnerabilities

CVE-2025-31133 CVE-2025-52565 CVE-2025-52881

Normal

<mail-mta/sendmail-8.18.1: smtp smuggling

CVE-2023-51765

Minor

<dev-db/pgagent-4.2.3: Insecure temporary directory use

CVE-2025-0218

Minor

<net-misc/sslh-2.2.4: Multiple vulnerabilities

CVE-2025-46806 CVE-2025-46807

Critical

<dev-lang/spidermonkey-128.9.0: multiple vulnerabilities

<dev-lang/spidermonkey-128.4.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.5.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.6.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.8.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.13.0: multiple vulnerabilities

Major

<sys-apps/coreutils-9.4-r1: split heap buffer overflow vulnerability

CVE-2024-0684

<sys-apps/coreutils-9.5: chmod -R TOCTOU vulnerability

Major

<net-analyzer/cacti-1.2.26: multiple vulnerabilities

CVE-2022-46169 CVE-2023-30534 CVE-2023-31132 CVE-2023-39357 CVE-2023-39358 CVE-2023-39359 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362 CVE-2023-39365 CVE-2023-39510 CVE-2023-39511 CVE-2023-39512 CVE-2023-39513 CVE-2023-39514 CVE-2023-39515 CVE-2023-39516

Major

<dev-lang/orc-0.4.40: Stack-based buffer overflow when formatting error messages for certain input files.

CVE-2024-40897

Major

<dev-lang/spidermonkey-128.4.0: multiple vulnerabilities

<dev-lang/spidermonkey-128.5.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.6.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.8.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.9.0: multiple vulnerabilities
<dev-lang/spidermonkey-128.13.0: multiple vulnerabilities

Major

<sys-process/atop-2.11.1: heap corruption

CVE-2025-31160

Major

<x11-libs/gtk+-3.24.48: Search path vulnerability

CVE-2024-6655

Major

<mail-client/roundcube-1.6.11 : Post-Auth RCE via PHP Object Deserialization

<mail-client/roundcube-1.6.8: XSS vulnerability

Major

<sys-libs/pam-1.7.1: Multiple vulnerabilities

CVE-2024-10963 CVE-2025-6020

Major

<media-libs/openh264-2.6.0: Decoding functions heap overflow

CVE-2025-27091 GHSA-m99q-5j7x-7m9x

Major

<mail-client/thunderbird{-bin,}-128.13.0: multiple vulnerabilities

mail-client/thunderbird: august 2025 vulnerabilities, <142.0 & <140.2.0 & <128.14.0
mail-client/thunderbird: <144.0 & <140.4.0 October 2025 vulnerabilities

960565, 961886, 964432

Major

<www-client/firefox{-bin,}-{128.13.0,140.1.0,141.0}: multiple vulnerabilities

www-client/firefox: <142.0 & <140.2.0 & <128.14.0 august 2025 vulnerabilities
www-client/firefox: <143.0 & <140.3.0 september 2025 vulnerabilities
www-client/firefox: <144.0 & <140.4.0 October 2025 vulnerabilities
www-client/firefox: <145.0 & <140.5.0 November 2025 vulnerabilities

960564, 961884, 962992, 964338, 966044

Major

www-client/firefox: <142.0 & <140.2.0 & <128.14.0 august 2025 vulnerabilities

<www-client/firefox{-bin,}-{128.13.0,140.1.0,141.0}: multiple vulnerabilities
www-client/firefox: <144.0 & <140.4.0 October 2025 vulnerabilities
www-client/firefox: <145.0 & <140.5.0 November 2025 vulnerabilities

961884, 960564, 964338, 966044

Major

mail-client/thunderbird: august 2025 vulnerabilities, <142.0 & <140.2.0 & <128.14.0

<mail-client/thunderbird{-bin,}-128.13.0: multiple vulnerabilities
mail-client/thunderbird: <144.0 & <140.4.0 October 2025 vulnerabilities

961886, 960565, 964432

Major

www-client/firefox: <143.0 & <140.3.0 september 2025 vulnerabilities

<www-client/firefox{-bin,}-{128.13.0,140.1.0,141.0}: multiple vulnerabilities
www-client/firefox: <144.0 & <140.4.0 October 2025 vulnerabilities
www-client/firefox: <145.0 & <140.5.0 November 2025 vulnerabilities

962992, 960564, 964338, 966044

Major

<dev-lang/python-{3.9.21_p1:3.9,3.10.16_p1:3.10,3.11.11_p1:3.11,3.12.8:3.12,3.13.1:3.13,3.13.1_p1-r100:3.13t,3.14.0_alpha2:3.14,3.14.0_alpha2-r100:3.14t}: Virtual environment (venv) activation scripts don't quote paths

CVE-2024-9287

<dev-lang/python-{0.3.13.5_p1,0.3.14.0_rc1_p1,3.9.23_p2,3.10.18_p2,3.11.13_p1,3.12.11_p1,3.13.5_p1,3.14.0_rc1_p1}, <dev-lang/pypy-3.11.7.3.20_p2: HTMLParser quadratic complexity when processing malformed inputs (and more HTMLParser vulnerabilities)
<dev-lang/python-{0.3.13.5_p1,0.3.14.0_rc1_p1,3.9.23_p2,3.10.18_p2,3.11.13_p1,3.12.11_p1,3.13.5_p1,3.14.0_rc1_p1}, <dev-lang/pypy-3.11.7.3.20_p2: Tarfile infinite loop during parsing with negative member offset

942077, 958449, 960868

Major

mail-client/thunderbird: <144.0 & <140.4.0 October 2025 vulnerabilities

<mail-client/thunderbird{-bin,}-128.13.0: multiple vulnerabilities
mail-client/thunderbird: august 2025 vulnerabilities, <142.0 & <140.2.0 & <128.14.0

964432, 960565, 961886

Major

<net-misc/asterisk security-{18.26.3,20.15.2,21.10.2,22.5.2}: GHSA-mrq5-74j5-f5cr & GHSA-v9q8-9j8m-5xwp & GHSA-64qc-9x89-rx5j

CVE-2025-1131 CVE-2025-49832 CVE-2025-57767 GHSA-64qc-9x89-rx5j GHSA-mrq5-74j5-f5cr GHSA-v9q8-9j8m-5xwp

Major

<media-gfx/gimp-{2.10.38-r3,3.0.6}: XWD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

CVE-2025-10934 GHSA-wv7v-cchq-8fjh ZDI-25-978

Major

<dev-java/commons-beanutils-1.11.0: PropertyUtilsBean does not suppresses an enum's declaredClass property by default

CVE-2025-48734